

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>角色 &mdash; Ceph Documentation</title>
  

  
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <div class="section" id="id1">
<h1>角色<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h1>
<p>A role is similar to a user and has permission policies attached to it that determine what the role can and cannot do. A role can be assumed by any identity that needs it and that the role's trust (assume-role) policy permits. When a user assumes a role, a set of dynamically created temporary credentials is returned to the user; the lifetime of those credentials is bounded by the role's <code class="docutils literal notranslate"><span class="pre">max_session_duration</span></code>. A role can be used to delegate access to users, applications, and services that do not otherwise have permission to access some S3 resources.</p>
<p>The following <code class="docutils literal notranslate"><span class="pre">radosgw-admin</span></code> commands can be used to create, delete, and update a role and the permission policies associated with it. Because the trust policy decides who can obtain a role's credentials and the permission policies decide what those credentials can do, treat changes made with these commands as privileged administrative operations.</p>
<div class="section" id="id2">
<h2>新建一个角色<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h2>
<p>To create a role, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">create</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span> <span class="p">[</span><span class="o">--</span><span class="n">path</span><span class="o">=</span><span class="s2">&quot;{path to the role}&quot;</span><span class="p">]</span> <span class="p">[</span><span class="o">--</span><span class="n">assume</span><span class="o">-</span><span class="n">role</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">doc</span><span class="o">=</span><span class="p">{</span><span class="n">trust</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">document</span><span class="p">}]</span>
</pre></div>
</div>
<div class="section" id="id3">
<h3>请求参数<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">path</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Path to the role. The default value is a slash (/).</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">assume-role-policy-doc</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>The trust relationship (assume-role) policy document that specifies which principals are permitted to assume the role. Every principal named here can obtain the role's temporary credentials, so keep the <code class="docutils literal notranslate"><span class="pre">Principal</span></code> list as narrow as possible, naming only the identities that actually need the role (as in the example below).</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">create</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span> <span class="o">--</span><span class="n">path</span><span class="o">=/</span><span class="n">application_abc</span><span class="o">/</span><span class="n">component_xyz</span><span class="o">/</span> <span class="o">--</span><span class="n">assume</span><span class="o">-</span><span class="n">role</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">doc</span><span class="o">=</span>\<span class="p">{</span>\<span class="s2">&quot;Version</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">2012-10-17</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Statement</span><span class="se">\&quot;</span><span class="s2">:\[\{</span><span class="se">\&quot;</span><span class="s2">Effect</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">Allow</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Principal</span><span class="se">\&quot;</span><span class="s2">:\{</span><span class="se">\&quot;</span><span class="s2">AWS</span><span class="se">\&quot;</span><span class="s2">:\[</span><span class="se">\&quot;</span><span class="s2">arn:aws:iam:::user/TESTER</span><span class="se">\&quot;</span><span class="s2">\]\},</span><span class="se">\&quot;</span><span class="s2">Action</span><span class="se">\&quot;</span><span class="s2">:\[</span><span class="se">\&quot;</span><span class="s2">sts:AssumeRole</span><span 
class="se">\&quot;</span><span class="s2">\]\}\]\}</span>
</pre></div>
</div>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
  <span class="s2">&quot;id&quot;</span><span class="o">:</span> <span class="s2">&quot;ca43045c-082c-491a-8af1-2eebca13deec&quot;</span><span class="p">,</span>
  <span class="s2">&quot;name&quot;</span><span class="o">:</span> <span class="s2">&quot;S3Access1&quot;</span><span class="p">,</span>
  <span class="s2">&quot;path&quot;</span><span class="o">:</span> <span class="s2">&quot;/application_abc/component_xyz/&quot;</span><span class="p">,</span>
  <span class="s2">&quot;arn&quot;</span><span class="o">:</span> <span class="s2">&quot;arn:aws:iam:::role/application_abc/component_xyz/S3Access1&quot;</span><span class="p">,</span>
  <span class="s2">&quot;create_date&quot;</span><span class="o">:</span> <span class="s2">&quot;2018-10-17T10:18:29.116Z&quot;</span><span class="p">,</span>
  <span class="s2">&quot;max_session_duration&quot;</span><span class="o">:</span> <span class="mf">3600</span><span class="p">,</span>
  <span class="s2">&quot;assume_role_policy_document&quot;</span><span class="o">:</span> <span class="s2">&quot;{\&quot;Version\&quot;:\&quot;2012-10-17\&quot;,\&quot;Statement\&quot;:[{\&quot;Effect\&quot;:\&quot;Allow\&quot;,\&quot;Principal\&quot;:{\&quot;AWS\&quot;:[\&quot;arn:aws:iam:::user/TESTER\&quot;]},\&quot;Action\&quot;:[\&quot;sts:AssumeRole\&quot;]}]}&quot;</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="id4">
<h2>删除一角色<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h2>
<p>To delete a role, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">delete</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span>
</pre></div>
</div>
<div class="section" id="id5">
<h3>请求参数<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">delete</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span>
</pre></div>
</div>
<p>Note: A role can be deleted only when it has no permission policy attached to it. Remove the role's policies first (see the section on deleting a policy attached to a role below), then delete the role.</p>
</div>
</div>
<div class="section" id="id6">
<h2>查看一角色<a class="headerlink" href="#id6" title="Permalink to this headline">¶</a></h2>
<p>To get information about a role, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">get</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span>
</pre></div>
</div>
<div class="section" id="id7">
<h3>请求参数<a class="headerlink" href="#id7" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">get</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span>
</pre></div>
</div>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
  <span class="s2">&quot;id&quot;</span><span class="o">:</span> <span class="s2">&quot;ca43045c-082c-491a-8af1-2eebca13deec&quot;</span><span class="p">,</span>
  <span class="s2">&quot;name&quot;</span><span class="o">:</span> <span class="s2">&quot;S3Access1&quot;</span><span class="p">,</span>
  <span class="s2">&quot;path&quot;</span><span class="o">:</span> <span class="s2">&quot;/application_abc/component_xyz/&quot;</span><span class="p">,</span>
  <span class="s2">&quot;arn&quot;</span><span class="o">:</span> <span class="s2">&quot;arn:aws:iam:::role/application_abc/component_xyz/S3Access1&quot;</span><span class="p">,</span>
  <span class="s2">&quot;create_date&quot;</span><span class="o">:</span> <span class="s2">&quot;2018-10-17T10:18:29.116Z&quot;</span><span class="p">,</span>
  <span class="s2">&quot;max_session_duration&quot;</span><span class="o">:</span> <span class="mf">3600</span><span class="p">,</span>
  <span class="s2">&quot;assume_role_policy_document&quot;</span><span class="o">:</span> <span class="s2">&quot;{\&quot;Version\&quot;:\&quot;2012-10-17\&quot;,\&quot;Statement\&quot;:[{\&quot;Effect\&quot;:\&quot;Allow\&quot;,\&quot;Principal\&quot;:{\&quot;AWS\&quot;:[\&quot;arn:aws:iam:::user/TESTER\&quot;]},\&quot;Action\&quot;:[\&quot;sts:AssumeRole\&quot;]}]}&quot;</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="id8">
<h2>罗列角色<a class="headerlink" href="#id8" title="Permalink to this headline">¶</a></h2>
<p>To list roles with a specified path prefix, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="nb">list</span> <span class="p">[</span><span class="o">--</span><span class="n">path</span><span class="o">-</span><span class="n">prefix</span><span class="o">=</span><span class="p">{</span><span class="n">path</span> <span class="n">prefix</span><span class="p">}]</span>
</pre></div>
</div>
<div class="section" id="id9">
<h3>请求参数<a class="headerlink" href="#id9" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">path-prefix</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Path prefix for filtering roles. If this is not specified, all roles are listed.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="nb">list</span> <span class="o">--</span><span class="n">path</span><span class="o">-</span><span class="n">prefix</span><span class="o">=</span><span class="s2">&quot;/application&quot;</span>
</pre></div>
</div>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="p">[</span>
  <span class="p">{</span>
      <span class="s2">&quot;id&quot;</span><span class="o">:</span> <span class="s2">&quot;3e1c0ff7-8f2b-456c-8fdf-20f428ba6a7f&quot;</span><span class="p">,</span>
      <span class="s2">&quot;name&quot;</span><span class="o">:</span> <span class="s2">&quot;S3Access1&quot;</span><span class="p">,</span>
      <span class="s2">&quot;path&quot;</span><span class="o">:</span> <span class="s2">&quot;/application_abc/component_xyz/&quot;</span><span class="p">,</span>
      <span class="s2">&quot;arn&quot;</span><span class="o">:</span> <span class="s2">&quot;arn:aws:iam:::role/application_abc/component_xyz/S3Access1&quot;</span><span class="p">,</span>
      <span class="s2">&quot;create_date&quot;</span><span class="o">:</span> <span class="s2">&quot;2018-10-17T10:32:01.881Z&quot;</span><span class="p">,</span>
      <span class="s2">&quot;max_session_duration&quot;</span><span class="o">:</span> <span class="mf">3600</span><span class="p">,</span>
      <span class="s2">&quot;assume_role_policy_document&quot;</span><span class="o">:</span> <span class="s2">&quot;{\&quot;Version\&quot;:\&quot;2012-10-17\&quot;,\&quot;Statement\&quot;:[{\&quot;Effect\&quot;:\&quot;Allow\&quot;,\&quot;Principal\&quot;:{\&quot;AWS\&quot;:[\&quot;arn:aws:iam:::user/TESTER\&quot;]},\&quot;Action\&quot;:[\&quot;sts:AssumeRole\&quot;]}]}&quot;</span>
  <span class="p">}</span>
<span class="p">]</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="update-assume-role-policy-document-of-a-role">
<h2>Update Assume Role Policy Document of a role<a class="headerlink" href="#update-assume-role-policy-document-of-a-role" title="Permalink to this headline">¶</a></h2>
<p>To modify a role’s assume role policy document, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">modify</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span> <span class="o">--</span><span class="n">assume</span><span class="o">-</span><span class="n">role</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">doc</span><span class="o">=</span><span class="p">{</span><span class="n">trust</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">document</span><span class="p">}</span>
</pre></div>
</div>
<div class="section" id="id10">
<h3>请求参数<a class="headerlink" href="#id10" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">assume-role-policy-doc</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>The trust relationship (assume-role) policy document that specifies which principals are permitted to assume the role. The new document replaces the existing one, so review the full <code class="docutils literal notranslate"><span class="pre">Principal</span></code> list before applying it: every principal it names can obtain the role's temporary credentials.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">modify</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span> <span class="o">--</span><span class="n">assume</span><span class="o">-</span><span class="n">role</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">doc</span><span class="o">=</span>\<span class="p">{</span>\<span class="s2">&quot;Version</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">2012-10-17</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Statement</span><span class="se">\&quot;</span><span class="s2">:\[\{</span><span class="se">\&quot;</span><span class="s2">Effect</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">Allow</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Principal</span><span class="se">\&quot;</span><span class="s2">:\{</span><span class="se">\&quot;</span><span class="s2">AWS</span><span class="se">\&quot;</span><span class="s2">:\[</span><span class="se">\&quot;</span><span class="s2">arn:aws:iam:::user/TESTER2</span><span class="se">\&quot;</span><span class="s2">\]\},</span><span class="se">\&quot;</span><span class="s2">Action</span><span class="se">\&quot;</span><span class="s2">:\[</span><span class="se">\&quot;</span><span class="s2">sts:AssumeRole</span><span class="se">\&quot;</span><span class="s2">\]\}\]\}</span>
</pre></div>
</div>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
  <span class="s2">&quot;id&quot;</span><span class="o">:</span> <span class="s2">&quot;ca43045c-082c-491a-8af1-2eebca13deec&quot;</span><span class="p">,</span>
  <span class="s2">&quot;name&quot;</span><span class="o">:</span> <span class="s2">&quot;S3Access1&quot;</span><span class="p">,</span>
  <span class="s2">&quot;path&quot;</span><span class="o">:</span> <span class="s2">&quot;/application_abc/component_xyz/&quot;</span><span class="p">,</span>
  <span class="s2">&quot;arn&quot;</span><span class="o">:</span> <span class="s2">&quot;arn:aws:iam:::role/application_abc/component_xyz/S3Access1&quot;</span><span class="p">,</span>
  <span class="s2">&quot;create_date&quot;</span><span class="o">:</span> <span class="s2">&quot;2018-10-17T10:18:29.116Z&quot;</span><span class="p">,</span>
  <span class="s2">&quot;max_session_duration&quot;</span><span class="o">:</span> <span class="mf">3600</span><span class="p">,</span>
  <span class="s2">&quot;assume_role_policy_document&quot;</span><span class="o">:</span> <span class="s2">&quot;{\&quot;Version\&quot;:\&quot;2012-10-17\&quot;,\&quot;Statement\&quot;:[{\&quot;Effect\&quot;:\&quot;Allow\&quot;,\&quot;Principal\&quot;:{\&quot;AWS\&quot;:[\&quot;arn:aws:iam:::user/TESTER2\&quot;]},\&quot;Action\&quot;:[\&quot;sts:AssumeRole\&quot;]}]}&quot;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>In the above example, we are modifying the Principal from TESTER to TESTER2 in its assume role policy document.</p>
</div>
</div>
<div class="section" id="id11">
<h2>新增、更新一个角色的策略<a class="headerlink" href="#id11" title="Permalink to this headline">¶</a></h2>
<p>To add or update the inline policy attached to a role, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">policy</span> <span class="n">put</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="p">}</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">doc</span><span class="o">=</span><span class="p">{</span><span class="n">permission</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">doc</span><span class="p">}</span>
</pre></div>
</div>
<div class="section" id="id12">
<h3>请求参数<a class="headerlink" href="#id12" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">policy-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the policy.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">policy-doc</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>The Permission policy document.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span><span class="o">-</span><span class="n">policy</span> <span class="n">put</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">Policy1</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">doc</span><span class="o">=</span>\<span class="p">{</span>\<span class="s2">&quot;Version</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">2012-10-17</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Statement</span><span class="se">\&quot;</span><span class="s2">:\[\{</span><span class="se">\&quot;</span><span class="s2">Effect</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">Allow</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Action</span><span class="se">\&quot;</span><span class="s2">:\[</span><span class="se">\&quot;</span><span class="s2">s3:*</span><span class="se">\&quot;</span><span class="s2">\],</span><span class="se">\&quot;</span><span class="s2">Resource</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">arn:aws:s3:::example_bucket</span><span class="se">\&quot;</span><span class="s2">\}\]\}</span>
</pre></div>
</div>
<p>In the above example, we are attaching the policy ‘Policy1’ to the role ‘S3Access1’; it allows every S3 action (<code class="docutils literal notranslate"><span class="pre">s3:*</span></code>) on ‘example_bucket’. A wildcard action is convenient for testing, but a production policy should list only the actions the role actually needs.</p>
</div>
</div>
<div class="section" id="list-permission-policy-names-attached-to-a-role">
<h2>List Permission Policy Names attached to a Role<a class="headerlink" href="#list-permission-policy-names-attached-to-a-role" title="Permalink to this headline">¶</a></h2>
<p>To list the names of permission policies attached to a role, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">policy</span> <span class="nb">list</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span>
</pre></div>
</div>
<div class="section" id="request-parameters">
<h3>Request Parameters<a class="headerlink" href="#request-parameters" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span><span class="o">-</span><span class="n">policy</span> <span class="nb">list</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span>
</pre></div>
</div>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="p">[</span>
  <span class="s2">&quot;Policy1&quot;</span>
<span class="p">]</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="get-permission-policy-attached-to-a-role">
<h2>Get Permission Policy attached to a Role<a class="headerlink" href="#get-permission-policy-attached-to-a-role" title="Permalink to this headline">¶</a></h2>
<p>To get a specific permission policy attached to a role, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">policy</span> <span class="n">get</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="p">}</span>
</pre></div>
</div>
<div class="section" id="id13">
<h3>Request Parameters<a class="headerlink" href="#id13" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">policy-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the policy.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span><span class="o">-</span><span class="n">policy</span> <span class="n">get</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">Policy1</span>
</pre></div>
</div>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
  <span class="s2">&quot;Permission policy&quot;</span><span class="o">:</span> <span class="s2">&quot;{\&quot;Version\&quot;:\&quot;2012-10-17\&quot;,\&quot;Statement\&quot;:[{\&quot;Effect\&quot;:\&quot;Allow\&quot;,\&quot;Action\&quot;:[\&quot;s3:*\&quot;],\&quot;Resource\&quot;:\&quot;arn:aws:s3:::example_bucket\&quot;}]}&quot;</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="delete-policy-attached-to-a-role">
<h2>Delete Policy attached to a Role<a class="headerlink" href="#delete-policy-attached-to-a-role" title="Permalink to this headline">¶</a></h2>
<p>To delete a permission policy attached to a role, execute the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span> <span class="n">policy</span> <span class="n">delete</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="p">}</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="p">{</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="p">}</span>
</pre></div>
</div>
<div class="section" id="id14">
<h3>Request Parameters<a class="headerlink" href="#id14" title="Permalink to this headline">¶</a></h3>
<p><code class="docutils literal notranslate"><span class="pre">role-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the role.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">policy-name</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description</dt>
<dd class="field-odd"><p>Name of the policy.</p>
</dd>
<dt class="field-even">Type</dt>
<dd class="field-even"><p>String</p>
</dd>
</dl>
<p>For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">radosgw</span><span class="o">-</span><span class="n">admin</span> <span class="n">role</span><span class="o">-</span><span class="n">policy</span> <span class="n">delete</span> <span class="o">--</span><span class="n">role</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">S3Access1</span> <span class="o">--</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="o">=</span><span class="n">Policy1</span>
</pre></div>
</div>
<div class="section" id="rest-api">
<h4>操作角色的 REST API<a class="headerlink" href="#rest-api" title="Permalink to this headline">¶</a></h4>
<p>In addition to the radosgw-admin commands above, the following REST APIs can be used to manipulate a role. For the request parameters and their meanings, refer to the sections above.</p>
<p>In order to invoke the REST admin APIs, a user with admin caps needs to be created. The example below grants the <code class="docutils literal notranslate"><span class="pre">roles=*</span></code> cap, which permits every role operation, and uses a placeholder secret key; in a real deployment, generate a strong secret and grant only the caps the caller actually needs.</p>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="nx">radosgw</span><span class="o">-</span><span class="nx">admin</span> <span class="o">--</span><span class="nx">uid</span> <span class="nx">TESTER</span> <span class="o">--</span><span class="nx">display</span><span class="o">-</span><span class="nx">name</span> <span class="s2">&quot;TestUser&quot;</span> <span class="o">--</span><span class="nx">access_key</span> <span class="nx">TESTER</span> <span class="o">--</span><span class="nx">secret</span> <span class="nx">test123</span> <span class="nx">user</span> <span class="nx">create</span>
<span class="nx">radosgw</span><span class="o">-</span><span class="nx">admin</span> <span class="nx">caps</span> <span class="nx">add</span> <span class="o">--</span><span class="nx">uid</span><span class="o">=</span><span class="s2">&quot;TESTER&quot;</span> <span class="o">--</span><span class="nx">caps</span><span class="o">=</span><span class="s2">&quot;roles=*&quot;</span>
</pre></div>
</div>
</div>
</div>
</div>
<div class="section" id="id15">
<h2>新建角色<a class="headerlink" href="#id15" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=CreateRole&amp;RoleName=S3Access&amp;Path=/application_abc/component_xyz/&amp;AssumeRolePolicyDocument={&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;AWS&quot;:[&quot;arn:aws:iam:::user/TESTER&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRole&quot;]}]}”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;role&gt;</span>
  <span class="nt">&lt;id&gt;</span>8f41f4e0-7094-4dc0-ac20-074a881ccbc5<span class="nt">&lt;/id&gt;</span>
  <span class="nt">&lt;name&gt;</span>S3Access<span class="nt">&lt;/name&gt;</span>
  <span class="nt">&lt;path&gt;</span>/application_abc/component_xyz/<span class="nt">&lt;/path&gt;</span>
  <span class="nt">&lt;arn&gt;</span>arn:aws:iam:::role/application_abc/component_xyz/S3Access<span class="nt">&lt;/arn&gt;</span>
  <span class="nt">&lt;create_date&gt;</span>2018-10-23T07:43:42.811Z<span class="nt">&lt;/create_date&gt;</span>
  <span class="nt">&lt;max_session_duration&gt;</span>3600<span class="nt">&lt;/max_session_duration&gt;</span>
  <span class="nt">&lt;assume_role_policy_document&gt;</span>{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;AWS&quot;:[&quot;arn:aws:iam:::user/TESTER&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRole&quot;]}]}<span class="nt">&lt;/assume_role_policy_document&gt;</span>
<span class="nt">&lt;/role&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="id16">
<h2>删除角色<a class="headerlink" href="#id16" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=DeleteRole&amp;RoleName=S3Access”</p>
</dd>
</dl>
<p>Note: A role can be deleted only when it has no permission policy attached to it.</p>
</div>
<div class="section" id="id17">
<h2>查看角色<a class="headerlink" href="#id17" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=GetRole&amp;RoleName=S3Access”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;role&gt;</span>
  <span class="nt">&lt;id&gt;</span>8f41f4e0-7094-4dc0-ac20-074a881ccbc5<span class="nt">&lt;/id&gt;</span>
  <span class="nt">&lt;name&gt;</span>S3Access<span class="nt">&lt;/name&gt;</span>
  <span class="nt">&lt;path&gt;</span>/application_abc/component_xyz/<span class="nt">&lt;/path&gt;</span>
  <span class="nt">&lt;arn&gt;</span>arn:aws:iam:::role/application_abc/component_xyz/S3Access<span class="nt">&lt;/arn&gt;</span>
  <span class="nt">&lt;create_date&gt;</span>2018-10-23T07:43:42.811Z<span class="nt">&lt;/create_date&gt;</span>
  <span class="nt">&lt;max_session_duration&gt;</span>3600<span class="nt">&lt;/max_session_duration&gt;</span>
  <span class="nt">&lt;assume_role_policy_document&gt;</span>{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;AWS&quot;:[&quot;arn:aws:iam:::user/TESTER&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRole&quot;]}]}<span class="nt">&lt;/assume_role_policy_document&gt;</span>
<span class="nt">&lt;/role&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="list-roles">
<h2>List Roles<a class="headerlink" href="#list-roles" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=ListRoles&amp;RoleName=S3Access&amp;PathPrefix=/application”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;role&gt;</span>
  <span class="nt">&lt;id&gt;</span>8f41f4e0-7094-4dc0-ac20-074a881ccbc5<span class="nt">&lt;/id&gt;</span>
  <span class="nt">&lt;name&gt;</span>S3Access<span class="nt">&lt;/name&gt;</span>
  <span class="nt">&lt;path&gt;</span>/application_abc/component_xyz/<span class="nt">&lt;/path&gt;</span>
  <span class="nt">&lt;arn&gt;</span>arn:aws:iam:::role/application_abc/component_xyz/S3Access<span class="nt">&lt;/arn&gt;</span>
  <span class="nt">&lt;create_date&gt;</span>2018-10-23T07:43:42.811Z<span class="nt">&lt;/create_date&gt;</span>
  <span class="nt">&lt;max_session_duration&gt;</span>3600<span class="nt">&lt;/max_session_duration&gt;</span>
  <span class="nt">&lt;assume_role_policy_document&gt;</span>{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;AWS&quot;:[&quot;arn:aws:iam:::user/TESTER&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRole&quot;]}]}<span class="nt">&lt;/assume_role_policy_document&gt;</span>
<span class="nt">&lt;/role&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="update-assume-role-policy-document">
<h2>Update Assume Role Policy Document<a class="headerlink" href="#update-assume-role-policy-document" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=UpdateAssumeRolePolicy&amp;RoleName=S3Access&amp;PolicyDocument={&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;AWS&quot;:[&quot;arn:aws:iam:::user/TESTER2&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRole&quot;]}]}”</p>
</dd>
</dl>
</div>
<div class="section" id="add-update-a-policy-attached-to-a-role">
<h2>Add/ Update a Policy attached to a Role<a class="headerlink" href="#add-update-a-policy-attached-to-a-role" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=PutRolePolicy&amp;RoleName=S3Access&amp;PolicyName=Policy1&amp;PolicyDocument={&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Action&quot;:[&quot;s3:CreateBucket&quot;],&quot;Resource&quot;:&quot;arn:aws:s3:::example_bucket&quot;}]}”</p>
</dd>
</dl>
</div>
<div class="section" id="id18">
<h2>List Permission Policy Names attached to a Role<a class="headerlink" href="#id18" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=ListRolePolicies&amp;RoleName=S3Access”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;PolicyNames&gt;</span>
  <span class="nt">&lt;member&gt;</span>Policy1<span class="nt">&lt;/member&gt;</span>
<span class="nt">&lt;/PolicyNames&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="id19">
<h2>Get Permission Policy attached to a Role<a class="headerlink" href="#id19" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=GetRolePolicy&amp;RoleName=S3Access&amp;PolicyName=Policy1”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;GetRolePolicyResult&gt;</span>
  <span class="nt">&lt;PolicyName&gt;</span>Policy1<span class="nt">&lt;/PolicyName&gt;</span>
  <span class="nt">&lt;RoleName&gt;</span>S3Access<span class="nt">&lt;/RoleName&gt;</span>
  <span class="nt">&lt;Permission_policy&gt;</span>{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Action&quot;:[&quot;s3:CreateBucket&quot;],&quot;Resource&quot;:&quot;arn:aws:s3:::example_bucket&quot;}]}<span class="nt">&lt;/Permission_policy&gt;</span>
<span class="nt">&lt;/GetRolePolicyResult&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="id20">
<h2>Delete Policy attached to a Role<a class="headerlink" href="#id20" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=DeleteRolePolicy&amp;RoleName=S3Access&amp;PolicyName=Policy1”</p>
</dd>
</dl>
</div>
<div class="section" id="tag-a-role">
<h2>Tag a role<a class="headerlink" href="#tag-a-role" title="Permalink to this headline">¶</a></h2>
<p>A role can have multi-valued tags attached to it. These tags can also be passed as part of the CreateRole REST API.
Note that AWS itself does not support multi-valued role tags.</p>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=TagRole&amp;RoleName=S3Access&amp;Tags.member.1.Key=Department&amp;Tags.member.1.Value=Engineering”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;TagRoleResponse&gt;</span>
  <span class="nt">&lt;ResponseMetadata&gt;</span>
    <span class="nt">&lt;RequestId&gt;</span>tx000000000000000000004-00611f337e-1027-default<span class="nt">&lt;/RequestId&gt;</span>
  <span class="nt">&lt;/ResponseMetadata&gt;</span>
<span class="nt">&lt;/TagRoleResponse&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="list-role-tags">
<h2>List role tags<a class="headerlink" href="#list-role-tags" title="Permalink to this headline">¶</a></h2>
<p>Lists the tags attached to a role.</p>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=ListRoleTags&amp;RoleName=S3Access”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;ListRoleTagsResponse&gt;</span>
  <span class="nt">&lt;ListRoleTagsResult&gt;</span>
    <span class="nt">&lt;Tags&gt;</span>
      <span class="nt">&lt;member&gt;</span>
        <span class="nt">&lt;Key&gt;</span>Department<span class="nt">&lt;/Key&gt;</span>
        <span class="nt">&lt;Value&gt;</span>Engineering<span class="nt">&lt;/Value&gt;</span>
      <span class="nt">&lt;/member&gt;</span>
    <span class="nt">&lt;/Tags&gt;</span>
  <span class="nt">&lt;/ListRoleTagsResult&gt;</span>
  <span class="nt">&lt;ResponseMetadata&gt;</span>
    <span class="nt">&lt;RequestId&gt;</span>tx000000000000000000005-00611f337e-1027-default<span class="nt">&lt;/RequestId&gt;</span>
  <span class="nt">&lt;/ResponseMetadata&gt;</span>
<span class="nt">&lt;/ListRoleTagsResponse&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="delete-role-tags">
<h2>Delete role tags<a class="headerlink" href="#delete-role-tags" title="Permalink to this headline">¶</a></h2>
<p>Delete one or more tags attached to a role.</p>
<dl class="simple">
<dt>Example:</dt><dd><p>POST “&lt;hostname&gt;?Action=UntagRoles&amp;RoleName=S3Access&amp;TagKeys.member.1=Department”</p>
</dd>
</dl>
<div class="highlight-XML notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;UntagRoleResponse&gt;</span>
  <span class="nt">&lt;ResponseMetadata&gt;</span>
    <span class="nt">&lt;RequestId&gt;</span>tx000000000000000000007-00611f337e-1027-default<span class="nt">&lt;/RequestId&gt;</span>
  <span class="nt">&lt;/ResponseMetadata&gt;</span>
<span class="nt">&lt;/UntagRoleResponse&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="sample-code-for-tagging-listing-tags-and-untagging-a-role">
<h2>Sample code for tagging, listing tags and untagging a role<a class="headerlink" href="#sample-code-for-tagging-listing-tags-and-untagging-a-role" title="Permalink to this headline">¶</a></h2>
<p>The following is sample boto3 code for adding tags to a role, listing its tags, and untagging it. The hard-coded access key, secret key and plain-HTTP localhost endpoint are test values only; in a deployment, load credentials from the environment or a credentials file and point <code class="docutils literal notranslate"><span class="pre">endpoint_url</span></code> at an <code class="docutils literal notranslate"><span class="pre">https://</span></code> endpoint.</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="kn">import</span> <span class="nn">boto3</span>

<span class="n">access_key</span> <span class="o">=</span> <span class="s1">&#39;TESTER&#39;</span>
<span class="n">secret_key</span> <span class="o">=</span> <span class="s1">&#39;test123&#39;</span>

<span class="n">iam_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;iam&#39;</span><span class="p">,</span>
<span class="n">aws_access_key_id</span><span class="o">=</span><span class="n">access_key</span><span class="p">,</span>
<span class="n">aws_secret_access_key</span><span class="o">=</span><span class="n">secret_key</span><span class="p">,</span>
<span class="n">endpoint_url</span><span class="o">=</span><span class="s1">&#39;http://s3.us-east.localhost:8000&#39;</span><span class="p">,</span>
<span class="n">region_name</span><span class="o">=</span><span class="s1">&#39;&#39;</span>
<span class="p">)</span>

<span class="n">policy_document</span> <span class="o">=</span> <span class="s2">&quot;{</span><span class="se">\&quot;</span><span class="s2">Version</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">2012-10-17</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Statement</span><span class="se">\&quot;</span><span class="s2">:[{</span><span class="se">\&quot;</span><span class="s2">Effect</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">Allow</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Principal</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">Federated</span><span class="se">\&quot;</span><span class="s2">:[</span><span class="se">\&quot;</span><span class="s2">arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart</span><span class="se">\&quot;</span><span class="s2">]},</span><span class="se">\&quot;</span><span class="s2">Action</span><span class="se">\&quot;</span><span class="s2">:[</span><span class="se">\&quot;</span><span class="s2">sts:AssumeRoleWithWebIdentity</span><span class="se">\&quot;</span><span class="s2">],</span><span class="se">\&quot;</span><span class="s2">Condition</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">StringEquals</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">localhost:8080/auth/realms/quickstart:sub</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">user1</span><span class="se">\&quot;</span><span class="s2">}}}]}&quot;</span>

<span class="nb">print</span> <span class="p">(</span><span class="s2">&quot;</span><span class="se">\n</span><span class="s2"> Creating Role with tags</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">)</span>
<span class="n">tags_list</span> <span class="o">=</span> <span class="p">[</span>
    <span class="p">{</span><span class="s1">&#39;Key&#39;</span><span class="p">:</span><span class="s1">&#39;Department&#39;</span><span class="p">,</span><span class="s1">&#39;Value&#39;</span><span class="p">:</span><span class="s1">&#39;Engineering&#39;</span><span class="p">}</span>
<span class="p">]</span>
<span class="n">role_response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">create_role</span><span class="p">(</span>
    <span class="n">AssumeRolePolicyDocument</span><span class="o">=</span><span class="n">policy_document</span><span class="p">,</span>
    <span class="n">Path</span><span class="o">=</span><span class="s1">&#39;/&#39;</span><span class="p">,</span>
    <span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span><span class="p">,</span>
    <span class="n">Tags</span><span class="o">=</span><span class="n">tags_list</span><span class="p">,</span>
<span class="p">)</span>

<span class="nb">print</span> <span class="p">(</span><span class="s2">&quot;Adding tags to role</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">)</span>
<span class="n">response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">tag_role</span><span class="p">(</span>
            <span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span><span class="p">,</span>
            <span class="n">Tags</span><span class="o">=</span> <span class="p">[</span>
                    <span class="p">{</span><span class="s1">&#39;Key&#39;</span><span class="p">:</span><span class="s1">&#39;CostCenter&#39;</span><span class="p">,</span><span class="s1">&#39;Value&#39;</span><span class="p">:</span><span class="s1">&#39;123456&#39;</span><span class="p">}</span>
                <span class="p">]</span>
            <span class="p">)</span>
<span class="nb">print</span> <span class="p">(</span><span class="s2">&quot;Listing role tags</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">)</span>
<span class="n">response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">list_role_tags</span><span class="p">(</span>
            <span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span>
            <span class="p">)</span>
<span class="nb">print</span> <span class="p">(</span><span class="n">response</span><span class="p">)</span>
<span class="nb">print</span> <span class="p">(</span><span class="s2">&quot;Untagging role</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">)</span>
<span class="n">response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">untag_role</span><span class="p">(</span>
    <span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span><span class="p">,</span>
    <span class="n">TagKeys</span><span class="o">=</span><span class="p">[</span>
        <span class="s1">&#39;Department&#39;</span><span class="p">,</span>
    <span class="p">]</span>
<span class="p">)</span>
</pre></div>
</div>
</div>
</div>



           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  


  
  
    
   

</body>
</html>